Windows 2000 Security
- Sabina Preston
- 5 years ago
Windows 2000 Security
M04, Josef Beeking

Terminology
- Access Control List (ACL) - A list of Access Control Entries (ACEs) stored with the object it protects.
- ACE Inheritance - Allows a given ACE to be propagated from the container where it was applied to all children of the container.
- Delegation - Allows a higher administrative authority to grant specific administrative rights for containers and subtrees to individuals and groups.
- Certificate Authority (CA) - An entity or service that issues certificates.
- Encrypting File System (EFS) - Provides the core file encryption technology to store Windows NT file system (NTFS) files encrypted on disk.
- IPSec - Defines protocols for network encryption at the IP protocol layer.
- Kerberos - A transitive and hierarchical security protocol that is an Internet security standard.
- Public Key Infrastructure (PKI) - An integrated set of services and administrative tools for creating, deploying, and managing public-key-based applications.

Groups
- Domain Local Group - Can be used on ACLs only in its own domain.
- Global Group - Can appear on ACLs anywhere in the forest.
- Local Group - As in earlier versions of Windows NT, administrators on member servers and workstations can create local groups.
- Universal Group - The simplest form of group.

Encrypting File System (EFS)
- Used to protect sensitive data.
- Encryption is done on a file or on a parent directory.
- Encryption is set on the Advanced Attributes page of the file or directory.
- Deployment: a file cannot be both encrypted and compressed.
EFS Recovery
- Designated Recovery Agents can recover encrypted data for a domain.
- There must be at least one Recovery Agent.
- Recovery keys can be exported as a file and kept physically secure (e.g. on a floppy).

Intrinsic Security - Agenda
- Introduction: defined attributes of intrinsic security
- Access Control: rights and permissions
- Inheritance: rules for inheritance
- Delegated Administration: object and attribute security

Intrinsic Security - Access Control
Rights
- Apply to groups and users.
- Define the capability to perform an operation (back up files, etc.).
- Rights may override permissions.
Permissions
- Security attributes of an object: specify who may do what.
- May be applied at the object or the attribute level.
- Scope of permissions: the current object; the object and its children; only the children; only specific children.
Intrinsic Security - Delegation
- Delegate an entire container, or 4 different sub-container attributes.
- 6 types of general permissions, 54 individual property permissions, 88 individual creation/deletion permissions.
- Delegate the entire container when the scope of administration will not be restricted, or when passing authority for a sub-tree.
- Delegate a partial container when assigning authority for task administration (printers, users, etc.).

Recommended Delegation (diagram of an IT structure with Computers, Users and Printers sub-containers)
- Delegated to Admins: may not modify access rights, create/delete containers, or IntelliMirror groups.
- Delegated to Account Admins-MANF: may only create/delete user and group objects.
- Delegated to Printer Admins-MANF: may only create/delete printer objects.
- IT structure may be centralized, decentralized or distributed; delegation is always task based; permissions are always delegated and limited.

Intrinsic Security - Rules for Delegation
- Restrict permissions that have wide scopes.
- Never delegate an entire container except when no higher authority exists.
- Task delegation: grant only the permissions necessary for the task.

Intrinsic Security - Summary
- Server roles, security policies, rights and permissions, inheritance, access control, delegated administration.
- Security is the balance between providing easy access and protecting valuable data.
- Various types of security in Windows 2000: Kerberos, PKI, IPSec, Certificate Authorities, Security Configuration Editor, policy-based security.
Groups - Agenda
- Purpose and function
- Global, Domain Local and Universal groups defined
- Design considerations

Purpose
- New and improved for Windows 2000: Universal, Domain Local and Global scopes; group nesting.
- Security and distribution group types; groups may contain users and computers; ease account management.
- Security structures: hierarchical management. Use security structures to reflect the administrative hierarchy. Groups contain security principals, contain other groups, and manage groups, which reduces the points of administration.

Global Group
- May contain members only from the hosting domain.
- Members may include user objects and global groups from their own domain.
- May be members of universal and domain local groups.
Usage
- Controlled membership scope.
- Foundation of security structures.
- Assign to resources anywhere.
(Diagram: each domain holds its own global groups such as Admins, Account Admins, Printer Admins and SQL Admins, plus a Users group containing all users in that domain.)
Domain Local Group
- May contain members from any domain.
- Members may include user objects, universal and global groups, and domain local groups from their own domain.
- May be members of domain local groups (in the same domain).
- Can only be used in its own domain.
Usage
- Intended for local usage and global membership.
- Parent of the security structure for the local domain.
(Diagram: a domain local Admins group holding accounts such as muser, madmin, duser and dadmin.)

Universal Group
- May contain members from any domain.
- Members may include user objects, global groups, and universal groups from any domain.
- May be members of domain local and universal groups.
- Referenced from any domain.
Usage
- Build structure (child and parent).
- Should contain only other groups.
- Use cautiously; restrict the ability to create universal groups.
(Diagram: a universal Admins group and a universal Users group built from each domain's global Admins and Users groups, then placed in each domain's domain local groups.)
Design Considerations
- Groups are the foundation of user management: plan well.
- User classifications are a basis for policy.
- Performance: universal group membership is well known (held in the Global Catalog).
(Diagram: per-domain domain local groups that can only be used in their own domain, fed by universal Admins and All Users groups referenced from any domain.)

Mixed Mode Restrictions
- Universal groups are for distribution only.
- Global groups may only contain accounts and may not be nested.
- Local groups may contain accounts and global groups but may not be nested.

Summary
- Global: contain members only from the local domain; provide access to resources anywhere.
- Domain Local: contain members from any domain; provide access to resources in a single domain.
- Universal: contain members from any domain; provide access to resources anywhere.
- Plan well: administrative units, Global Catalog implications.

Group Policy - Agenda
- Concepts, policy selection, rules of policy, policy planning, design considerations.
- Defining policy; understanding the architecture; the rules of policy; the ease of policy; the web of policy; the design impact of policy.
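The scope rules above (what each group may contain, where a domain local group may be used, and what mixed mode removes) as a membership validator. This is an added example, not code from the slides or from Windows; the forest (domains MANF and SALES) and the group names are constructed.

```python
"""Windows 2000 group scope rules as a membership validator: what each scope may contain,
where it may appear on an ACL, and what changes in mixed mode. Added example; the
domains (MANF, SALES) and group names are constructed."""
from dataclasses import dataclass, field


@dataclass
class Principal:          # a user or computer account
    name: str
    domain: str


@dataclass
class Group:
    name: str
    domain: str
    scope: str            # "global", "domain_local" or "universal"
    members: list = field(default_factory=list)


def _reason_native(group, member):
    """Native-mode nesting rules; returns None when the membership is allowed."""
    same_domain = member.domain == group.domain
    mscope = getattr(member, "scope", "account")
    if group.scope == "global":
        if not same_domain:
            return "a global group may contain members only from its own domain"
        if mscope not in ("account", "global"):
            return "a global group may nest only global groups of its own domain"
    elif group.scope == "domain_local":
        if mscope == "domain_local" and not same_domain:
            return "a domain local group may nest domain local groups only from its own domain"
    elif group.scope == "universal":
        if mscope == "domain_local":
            return "a universal group may not contain domain local groups"
    else:
        return f"unknown scope {group.scope!r}"
    return None


def _reason_mixed(group, member):
    """Extra restrictions while the domain is still in mixed mode."""
    mscope = getattr(member, "scope", "account")
    if group.scope == "universal":
        return "universal security groups are not available in mixed mode (distribution only)"
    if group.scope == "global" and mscope != "account":
        return "global groups may only contain accounts in mixed mode (no nesting)"
    if group.scope == "domain_local" and mscope not in ("account", "global"):
        return "domain local groups may contain only accounts and global groups in mixed mode"
    return None


def add_member(group, member, native_mode=True):
    """Add member to group if the scope rules allow it; return (ok, reason)."""
    reason = _reason_native(group, member)
    if reason is None and not native_mode:
        reason = _reason_mixed(group, member)
    if reason is None:
        group.members.append(member)
        return True, ""
    return False, reason


def can_appear_on_acl(group, resource_domain):
    """Domain local groups are usable on ACLs only in their own domain;
    global and universal groups can appear on ACLs anywhere in the forest."""
    return group.scope != "domain_local" or group.domain == resource_domain


def demo():
    """Constructed two-domain forest: MANF and SALES."""
    jane = Principal("jane", "MANF")
    bob = Principal("bob", "SALES")
    manf_admins = Group("Account Admins", "MANF", "global")
    sales_admins = Group("Account Admins", "SALES", "global")
    all_admins = Group("All Admins", "MANF", "universal")
    printer_ops = Group("Printer Operators", "MANF", "domain_local")
    return {
        "global_same_domain": add_member(manf_admins, jane)[0],                 # allowed
        "global_cross_domain": add_member(manf_admins, bob)[0],                 # refused
        "universal_of_globals": add_member(all_admins, sales_admins)[0],        # allowed
        "dl_nests_universal": add_member(printer_ops, all_admins)[0],           # allowed
        "universal_nests_dl": add_member(all_admins, printer_ops)[0],           # refused
        "mixed_global_nesting": add_member(manf_admins, Group("Sub", "MANF", "global"),
                                           native_mode=False)[0],               # refused
        "dl_on_foreign_acl": can_appear_on_acl(printer_ops, "SALES"),           # False
        "global_on_foreign_acl": can_appear_on_acl(manf_admins, "SALES"),       # True
    }
```

The recommended structure from the slides (accounts in global groups, global groups in universal groups, universal groups in the domain local group that sits on the ACL) passes every check; the two refusals are exactly the nestings the deck warns against.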
Group Policy - Concepts
- Policy: the ability for a wish to be stated once and carried out many times.
- Group Policy is associated with a container; policy applies to users and computers within that container.
- Policy is processed by the computer at startup and by the client at logon; refresh occurs every 90 minutes (with a 30-minute offset).
- A GPO (Group Policy Object) is a collection of settings that will affect a given user or computer, regardless of physical location; a single GPO may contain hundreds of individual settings.
- A GPO is made up of a GPT (Group Policy Template) stored on SysVol and a GPC (Group Policy Container) stored in Active Directory.
- Group Policy may be associated with the local computer, Site(s), Domain(s), or Organizational Unit(s) (SDOU).

Rules of Policy
- Inheritance: Group Policy is inherited by children within a domain.
- Cumulation: Group Policy aggregates and accumulates.
- Filtering: Group Policy may be targeted at specific groups of users or computers through filtering.

Inheritance
- Policy is inherited by child containers (the Site acts like a parent of both Domain and OU).
- Inheritance may be influenced by Blocking (a flag on a container, applied to the entire container) or by No Override (enforced by the GPO, specified on a per-GPO basis).
- A GPO is inherited by default; the Block Policy Inheritance flag blocks all inherited policy, and blocking also prevents further inheritance by child containers.
(Diagram: a GPO linked above a Users container, with a STOP marker where Block Policy Inheritance is set and No Override = False.)
No Override
- The No Override flag may be set on each GPO.
- Negates the effect of blocking containers.
- Does not allow any settings within the policy to be overridden.

Sites and Policy
- Sites act like parents of domains for the purpose of policy.
- This means that site policy may affect only a portion of a domain or OU.
- For a site that spans two domains, the site's actual GPO is stored in one of the domains.
(Diagram: Site-A GP marked No Override and Site-B GP; all users in Site-A receive the Site-A GP, while only the domain's users in Site-B receive the Site-B GP, even past a container marked STOP.)

Cumulation
- Policy is applied sequentially in order of priority setting.
- Applies to containers and to inheritance.
- May be aggregate or truly cumulative: most duplicated policies will be set multiple times (cumulative); tiered policy such as scripts and software installation may aggregate.
Cumulation
(Diagram: GP1, GP2 and GP3 linked at successive SDOU levels, with the effective policy for the Users container shown after each is applied; a second "What's my group policy?" diagram with GP1 to GP9, some marked No Override.)
- Policies are applied by SDOU, in order; a later policy overrides an earlier one.
- The applicable effects of policy = effective policy.
- Cumulation also applies to policies within a container.
- A setting within a policy marked No Override cannot be changed at a lower level.
- Tracking effective policy can be tricky, but it is critical.

Filtering
- Policy applies to Authenticated Users by default!
- Policy selection is based on the GPO's ACL.
- Filtering may be inclusive, exclusive, or explicitly denied:
  - I receive policy for which I am mentioned (allowed).
  - I will not receive policy in which I am mentioned but un-allowed (or not mentioned at all).
  - I will not receive policy for which I am mentioned and also explicitly denied.

Notes on filtering
- Explicitly denying a policy will always override any grant of the policy based on other group membership (Deny overrides all other permissions).
- Un-allowing a policy has the effect of deny, except that another grant of the policy based on other group membership will allow the policy.
- Always un-allow, unless a group should not receive a policy under any circumstances.
Filtering example (cumulation and inheritance are not included in this example)
- GP1: user settings A and B. Filters: Task Users (Allow), Office Users (Deny), Other Users (Deny).
- GP2: user settings A and B. Filters: Office Users (Allow), Task Users (Un-allow), Other Users (Un-allow).
- juser is a member of Task Users and Other Users; suser is a member of Office Users and Other Users.
- Effective policy from GP1: juser none, suser none. GP1 denies the Other Users group, of which juser is a member, so juser gets no policy.
- Effective policy from GP2: juser none, suser A and B. GP2 un-allows the Other Users group, of which suser is a member, but suser still gets the policy because of the grant on Office Users.

Planning - where to associate what
Two strategies:
- Group based: policy based on users (example: which users get what software?).
- Task based: policy based on action (example: location A must always use IPSec).
Where:
- Site: network-location-dependent security.
- Domain: enterprise business rules; domain-level security.
- OUs: departmental tasks.

Planning - Naming GPOs
- Follow a standard naming convention: subject type, scope, intent.
- The naming convention should reflect usage.

Planning Guidelines - Enhancing Performance
- Limit the number of GPOs that affect any given computer or user; the number of GPOs directly affects client performance.
- Use security groups to filter the effect of Group Policy; this reduces the real number of GPOs that a computer (at startup) or user (at logon) must process.
- Disable unused portions of a GPO: the User or Computer portion of a GPO may be disabled.
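The rules of policy from the preceding slides (SDOU inheritance, Block Policy Inheritance, No Override, cumulation and ACL filtering) as one resolver, with the juser/suser filtering example above re-run through it. This is an added example, not the deck's or Windows' own policy engine; the Site/Domain/OU names, the GPO names and the settings A, B, lock_screen, wallpaper and proxy are constructed.

```python
"""Effective Group Policy: SDOU inheritance, Block Policy Inheritance, No Override, cumulation
and ACL filtering modelled in Python. Added example; container names, GPO names and the
settings (A, B, lock_screen, wallpaper, proxy) are constructed."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                            # setting -> value
    acl: dict = field(default_factory=dict)   # group -> "allow" | "deny"; unmentioned = un-allowed
    no_override: bool = False


@dataclass
class Container:                              # a Site, Domain or OU
    name: str
    gpos: list = field(default_factory=list)  # linked GPOs in application order (last wins)
    block_inheritance: bool = False


def filter_allows(gpo, groups):
    """ACL filtering: an explicit Deny on any of the user's groups wins outright; otherwise
    at least one Allow is needed; an un-allowed (unmentioned) group grants nothing."""
    verdicts = {gpo.acl.get(g) for g in groups}
    return "deny" not in verdicts and "allow" in verdicts


def applicable_gpos(path):
    """Walk Site -> Domain -> OU(s). Block Policy Inheritance on a container discards what was
    inherited so far, except GPOs marked No Override, which cannot be blocked."""
    collected = []
    for container in path:
        if container.block_inheritance:
            collected = [g for g in collected if g.no_override]
        collected.extend(container.gpos)
    return collected


def effective_policy(path, groups):
    """Cumulation: later (lower-level) GPOs override earlier ones, except that a setting written
    by a No Override GPO is locked against every lower-level GPO. Returns (settings, applied)."""
    settings, locked, applied = {}, set(), []
    for gpo in applicable_gpos(path):
        if not filter_allows(gpo, groups):
            continue
        applied.append(gpo.name)
        for key, value in gpo.settings.items():
            if key in locked:
                continue
            settings[key] = value
            if gpo.no_override:
                locked.add(key)
    return settings, applied


# The slide's filtering example; the values 1 and 2 for A and B are constructed.
GP1 = GPO("GP1", {"A": 1, "B": 1},
          acl={"Task Users": "allow", "Office Users": "deny", "Other Users": "deny"})
GP2 = GPO("GP2", {"A": 2, "B": 2}, acl={"Office Users": "allow"})   # Task/Other Users un-allowed
USERS_OU = Container("Users", gpos=[GP1, GP2])


def filtering_example():
    juser = effective_policy([USERS_OU], ["Task Users", "Other Users"])    # denied by GP1, un-allowed by GP2
    suser = effective_policy([USERS_OU], ["Office Users", "Other Users"])  # denied by GP1, allowed by GP2
    return juser, suser


def inheritance_example(block_at_ou):
    """Site -> Domain -> OU with a No Override site GPO; optionally block inheritance at the OU."""
    auth = {"Authenticated Users": "allow"}   # the default ACE on a new GPO
    site = Container("Site-A", [GPO("Site GP", {"lock_screen": "on"}, auth, no_override=True)])
    domain = Container("corp", [GPO("Domain GP", {"lock_screen": "off", "wallpaper": "corp",
                                                  "proxy": "corp-proxy"}, auth)])
    ou = Container("Engineering", [GPO("OU GP", {"wallpaper": "eng"}, auth)], block_at_ou)
    return effective_policy([site, domain, ou], ["Authenticated Users"])
```

Two things the slides stress fall straight out of the code: the domain GPO's attempt to turn the lock screen off never wins because the site GPO is No Override, and blocking at the OU removes the domain's proxy setting but not the enforced site setting.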
Planning - Best Practices
- Limit how often Group Policy is updated: limit the number of administrators that can edit GPOs, since updates require replication between all DCs.
- The scope may be HUGE. Think of this as Regedit for the AD: application installation and removal for users and computers; security settings such as file system ACLs for 2000 users or computers.
- Use test GPOs.

Group Policy - Summary
- Concepts, policy selection, rules of policy, policy planning, design considerations.
- Objects: policy application is based on subject and object; policy applied on containers affects the objects in them.
- Inheritance, cumulation, filtering: understand the impact and the implications.
- Understand the power; understand the organizational structure.
- Limit the accounts that can set policy.
- Regedit for Active Directory.

Security - Agenda
- Kerberos, PKI, IPSec, PKI usage.
- Defining technologies and implementations; setting boundaries; security considerations; feature sets; security impact.

Kerberos - Introduction
- Default authentication protocol for Windows 2000.
- Enables transitive trust of domains within a forest.
- Mutual authentication.
- Efficient authentication: the KDC is not required during resource access.
- Industry standard: interoperable with any other Kerberos v5 implementation.

Kerberos Terms
- Key Distribution Center (KDC): Authentication Server (AS) and Ticket Granting Server (TGS); runs on all Domain Controllers.
- Tickets: the Ticket Granting Ticket (TGT) is a session ticket used to acquire tickets; a Ticket is the record for a client/server session and carries the Privilege Attribute Certificate (PAC), the session key, a time stamp, and more.

More about time stamps
- SNTP is built into Windows 2000: DC time replication and client time replication.
- Impact: non-Windows 2000 clients require an NTP client.
Windows 2000 Kerberos - Local Logon
- A local account logging on to the local machine uses MSV1_0 (NTLM).
- Kerberos fails and GINA (Graphical Identification and Authentication) tries the next authentication package.

Windows 2000 Kerberos - Domain Logon
- User to KDC: AS_REQ (name, domain, service); KDC replies AS_REP (TGT).
- User to KDC: TGS_REQ (TGT, name, domain, service); KDC replies TGS_REP (workstation key).

Kerberos Resource Access - Same Domain
(Diagram: the user sends a ticket request to the KDC, receives a ticket for the target server, and is authenticated to the server with that ticket.)

Kerberos - Cross Realm
juser (realm NE) wants access to Bob (realm NW); both realms hang under the parent realm:
1) juser sends TGS_REQ to the NE KDC.
2) The NE KDC replies with a session key for the parent realm.
3) juser sends TGS_REQ to the parent realm's KDC with the target info.
4) The parent KDC replies with a session key for NW.
5) juser sends TGS_REQ to the NW KDC with the target info.
6) The NW KDC replies with a ticket and authorization data for Bob.
7) juser sends AP_REQ to Bob with the ticket and authorization data.
8) Bob replies with an authenticator (optional).
* The same session ticket is used for subsequent access to Bob.

Windows 2000 Kerberos Interoperability
- A Windows 2000 workstation can use a UNIX KDC. For database servers not using Windows 2000's access control (authorization by name, based on authentication only), it can only validate the user name.
- Windows 2000 interoperates with MIT KDCs in cross-realm trusts, using shadow/proxy accounts in the Windows 2000 domain.
- Windows 2000 cannot use MIT KDCs as the authentication server for interactive logon: MIT's implementation misses several services necessary for Kerberos in Windows 2000.
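The eight-step cross-realm exchange above, with the AS exchange in front of it and the AP exchange at the server, modelled end to end. This is an added example, not Microsoft's or MIT's implementation: sealing a ticket with an HMAC stands in for Kerberos encryption (what matters here is that only a holder of the right key can mint or validate a ticket), the three realms ne.corp.com, corp.com and nw.corp.com, the principals juser and host/bob, and all keys are constructed.

```python
"""Kerberos cross-realm referral (ne.corp.com -> corp.com -> nw.corp.com) modelled end to end.
Added example: HMAC sealing stands in for Kerberos encryption; realm names, principals and
keys are constructed."""
import hashlib
import hmac
import json

CLOCK_SKEW = 300   # seconds of tolerated clock drift; the reason the slides insist on SNTP


def seal(key, payload):
    """Model of 'encrypted under key': canonical JSON plus an HMAC tag."""
    body = json.dumps(payload, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()


def unseal(key, ticket):
    body, tag = ticket
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise PermissionError("ticket was not issued under this key")
    return json.loads(body)


def parent_of(realm):
    return realm.split(".", 1)[1]


class KDC:
    def __init__(self, realm, principals, trusts):
        self.realm = realm
        self.principals = principals   # principal -> long-term key; "krbtgt" seals this realm's TGTs
        self.trusts = trusts           # adjacent realm (parent or child) -> inter-realm key

    def next_hop(self, target):
        """Hierarchical trust path: direct trust, else down to the child above target, else up."""
        if target in self.trusts:
            return target
        for realm in self.trusts:
            if realm != parent_of(self.realm) and target.endswith("." + realm):
                return realm
        return parent_of(self.realm)

    def as_exchange(self, client):
        """AS_REQ / AS_REP: a local principal gets a TGT sealed under this realm's krbtgt key."""
        if client not in self.principals:
            raise KeyError(f"{client} is not a principal of {self.realm}")
        return seal(self.principals["krbtgt"],
                    {"client": client, "crealm": self.realm, "issuer": self.realm})

    def tgs_exchange(self, tgt, service, srealm):
        """TGS_REQ / TGS_REP: accept a TGT sealed by us or by a trusted neighbour, then issue a
        service ticket (target is local) or a referral TGT for the next realm on the path."""
        issuer = json.loads(tgt[0])["issuer"]          # cleartext part, like the ticket's sname
        key = self.principals["krbtgt"] if issuer == self.realm else self.trusts[issuer]
        claims = unseal(key, tgt)                      # raises unless that realm really minted it
        if srealm == self.realm:
            return seal(self.principals[service],
                        {"client": claims["client"], "crealm": claims["crealm"], "service": service})
        hop = self.next_hop(srealm)
        return seal(self.trusts[hop],
                    {"client": claims["client"], "crealm": claims["crealm"], "issuer": self.realm})


def get_service_ticket(kdcs, client, crealm, service, srealm):
    """Client side: AS exchange at home, then follow referrals until the service's realm answers."""
    realm, hops = crealm, [crealm]
    ticket = kdcs[crealm].as_exchange(client)
    while True:
        ticket = kdcs[realm].tgs_exchange(ticket, service, srealm)
        if realm == srealm:
            return ticket, hops
        realm = kdcs[realm].next_hop(srealm)   # the reply was a referral TGT for this realm
        hops.append(realm)


def ap_exchange(service_key, ticket, authenticator, now):
    """AP_REQ at the server: checked with the service's own key plus a fresh authenticator;
    no KDC is contacted ('KDC not required during resource access')."""
    claims = unseal(service_key, ticket)
    if authenticator["client"] != claims["client"] or abs(now - authenticator["time"]) > CLOCK_SKEW:
        raise PermissionError("authenticator does not match ticket, or clock skew too large")
    return f'{claims["client"]}@{claims["crealm"]}'


def key(label):                      # constructed long-term keys
    return hashlib.sha256(label.encode()).digest()


KDCS = {
    "corp.com": KDC("corp.com", {"krbtgt": key("corp")},
                    {"ne.corp.com": key("corp<->ne"), "nw.corp.com": key("corp<->nw")}),
    "ne.corp.com": KDC("ne.corp.com", {"krbtgt": key("ne"), "juser": key("juser-pw")},
                       {"corp.com": key("corp<->ne")}),
    "nw.corp.com": KDC("nw.corp.com", {"krbtgt": key("nw"), "host/bob": key("bob")},
                       {"corp.com": key("corp<->nw")}),
}


def rejected(action):
    try:
        action()
        return False
    except PermissionError:
        return True


def demo(now=1_000_000):
    ticket, hops = get_service_ticket(KDCS, "juser", "ne.corp.com", "host/bob", "nw.corp.com")
    return {
        "hops": hops,
        "who": ap_exchange(key("bob"), ticket, {"client": "juser", "time": now}, now),
        "stale_rejected": rejected(lambda: ap_exchange(key("bob"), ticket,
                                                       {"client": "juser", "time": now - 600}, now)),
        "home_kdc_cannot_read": rejected(lambda: unseal(key("ne"), ticket)),
    }
```

The hop list reproduces steps 1 to 6 of the slide (NE, then the parent, then NW), the AP exchange is step 7, and the stale-authenticator case is why the deck spends a slide on SNTP: a client whose clock is more than the skew window out is refused even with a valid ticket.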
Security Properties
- Authentication: verifying the source.
- Integrity: data arrives as it was shipped.
- Confidentiality: encryption.
- Anti-replay: a captured packet cannot be re-sent and accepted a second time.
- Non-repudiation: once a packet has been sent, the source cannot deny sending it.

IP Security
- Network-level authentication; transparent and application independent.
- Data integrity and confidentiality.
- Open industry standard, interoperable; extends to VPNs.

IP Security Policy
- Defines the type and level of protection.
- Negotiation policy: defines whether a computer will request, respond to, or require IPSec.
- Filters: define additional restrictions when communicating via IPSec.
- Security policy: defines which computers will communicate via IPSec.
- Options: Responder (will only communicate with IPSec when requested); Initiator (will request IPSec communication, but will talk in the clear if the peer does not respond); Lockdown (will only communicate via IPSec).

IPSec: Policies and Rules
- Each IP Security Policy consists of rules.
- A rule includes: IP filter settings, negotiation policies, authentication methods, IP tunnel settings, and connection types.

IPSec: Available Protection Services
- Integrity algorithms: HMAC-MD5 (128-bit key); HMAC-SHA-1 (160-bit key).
- Confidentiality algorithms: 40-bit DES (40-bit key); 3DES (triple encryption with 56-bit DES keys); DES-CBC (56-bit key), with replay prevention.
- Security protocols for data and identity protection: AH (identity protection with authentication, integrity and anti-replay services); ESP (integrity and confidentiality services).
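The policy model above (ordered rules, each with a filter list and a negotiation behaviour) as a small evaluator that picks the rule for a packet and then works out what Responder, Initiator and Lockdown actually produce on the wire against a given peer. This is an added example, not the Windows 2000 IPSec policy agent; the rule names, the addresses and the peer behaviours are constructed.

```python
"""IPSec policy evaluation: select the rule whose filter list matches a packet, then work out
what its negotiation behaviour (responder, initiator, lockdown) yields against the peer.
Added example; the rules, addresses and peers are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Filter:
    src: str = "any"          # "any" or a CIDR network
    dst: str = "any"
    proto: str = "any"        # "any", "tcp", "udp", ...
    dport: int = 0            # 0 = any port

    def matches(self, pkt):
        def in_net(spec, addr):
            return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
        return (in_net(self.src, pkt["src"]) and in_net(self.dst, pkt["dst"])
                and self.proto in ("any", pkt["proto"])
                and self.dport in (0, pkt.get("dport", 0)))


@dataclass(frozen=True)
class Rule:
    name: str
    filters: tuple            # the rule's IP filter list
    behaviour: str            # "responder", "initiator" or "lockdown"
    auth: str = "kerberos"    # authentication method; certificates for peers outside the forest


def select_rule(policy, pkt):
    """First rule whose filter list matches wins; the policy is ordered with the catch-all last."""
    return next((r for r in policy if any(f.matches(pkt) for f in r.filters)), None)


def wire_result(local, peer):
    """Outcome of our behaviour against the peer's ("none" = the peer has no IPSec policy).
    Lockdown refuses cleartext; Initiator asks but falls back; Responder never asks."""
    if (local, peer) in (("lockdown", "none"), ("none", "lockdown")):
        return "blocked"
    we_ask = local in ("initiator", "lockdown")
    peer_asks = peer in ("initiator", "lockdown")
    if (we_ask and peer != "none") or (peer_asks and local != "none"):
        return "ipsec"
    return "clear"


POLICY = [
    Rule("Finance servers require IPSec", (Filter(dst="10.1.0.0/24"),), "lockdown"),
    Rule("Intranet web: ask for IPSec", (Filter(dst="10.2.0.0/16", proto="tcp", dport=80),), "initiator"),
    Rule("Default response rule", (Filter(),), "responder"),
]


def evaluate(policy, pkt, peer):
    rule = select_rule(policy, pkt)
    return rule.name, wire_result(rule.behaviour, peer)


def demo():
    to_finance = {"src": "10.5.1.7", "dst": "10.1.0.20", "proto": "tcp", "dport": 445}
    to_web = {"src": "10.5.1.7", "dst": "10.2.3.4", "proto": "tcp", "dport": 80}
    to_printer = {"src": "10.5.1.7", "dst": "10.9.0.9", "proto": "tcp", "dport": 9100}
    return {
        "finance_vs_legacy": evaluate(POLICY, to_finance, "none"),        # blocked, never downgraded
        "web_vs_legacy": evaluate(POLICY, to_web, "none"),                # silently in the clear
        "web_vs_responder": evaluate(POLICY, to_web, "responder"),        # protected
        "printer_vs_responder": evaluate(POLICY, to_printer, "responder"),  # two responders: clear
    }
```

The two rows worth checking in any real deployment are the Initiator fallback (an "ask for IPSec" rule gives no protection at all against a peer without a policy) and the Responder/Responder pair (neither side ever asks, so the default response rule on both ends leaves traffic in the clear).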
Public Key Infrastructure
Windows 2000 PKI: cryptography, keys, certificates, Microsoft Certificate Server.

Public Key Security Components (architecture diagram)
- Applications; Certificate Management Services; network APIs (Secure Channel); file I/O (EFS); message standards (PKCS); Authenticode; smartcard interfaces (reader device driver).
- CryptoAPI and Crypto Services on top of the Cryptographic Service Providers (hardware CSP, RSA Base CSP).

PKI - Cryptography and Keys (diagram)
- The sender encrypts the data with the recipient's public key, taken from the recipient's digital certificate; the recipient decrypts it with the recipient's private key.
- Digital certificate: user name, serial number, public key, expiry date (MM/DD/YY).

Certificate Authority - Certificate Server
- Internet services: users may request X.509 certificates; independent of Active Directory.
- Standards support: PKCS #10, PKCS #7, X.509 v1 and v3.
- Key management.
- Enterprise CA: corporate root or subordinate; Active Directory policy and publishing.
- Stand-alone CA: root issues to external CAs; a subordinate may trust an internal stand-alone root CA or an external root authority (VeriSign etc.).
When To Use Certificates? - PKI Usage
- Remote access authentication.
- L2TP/IPSec tunnel; IPSec tunnel.
- Interoperability with other systems.
- Specialized enterprise network security: to establish an IPSec trust group for a smaller group than the domain, or for computers across untrusted domains.
- PKI usage: client authentication, code signing, smart card logon, remote access, applications, secure e-mail.

PKI - Client Authentication
- HTTPS for Internet Information Server.
- EAP/TLS for Remote Access Services (RAS).
- LDAP over SSL for Directory Services.
- Authentication of non-Windows 2000 users.

VPN Solutions
- Use PPTP for client tunneling; use IPSec/L2TP for LAN-to-WAN access.
- Tunneling clients and servers: Windows NT 4.0 and Windows 2000: PPTP/L2TP; Windows 95 and Windows 98: PPTP only.

IPSec Usage - Planning Summary
- LAN-to-WAN communication over a public network: IPSec and ISAKMP; IPSec/L2TP.
- Client-to-server communication over a public network (POTS/ISP): PPTP; IPSec/L2TP.

PKI Deployment Considerations
- Trust relationships between Certification Authorities and domains.
- CA hierarchies and domain topology.
- Certificate enrollment/renewal methods for users and machines.
- CRL publication frequency.
- Code signing process.
- Smart card hardware.
Planning - Summary
- Plan the scope of PKI usage: specific or global usage.
- Plan the certificate hierarchy: CA root, mappings, and certificates.
- Plan IPSec: scope, policies, and capacity.
- Plan Kerberos: trusts and extensions.

Security Summary
- Server roles, security policies, rights and permissions, inheritance, access control, delegated administration.
- Security is the balance between providing easy access and protecting valuable data.
- Various types of security in Windows 2000: Kerberos, PKI, IPSec, Certificate Authorities, Security Configuration Editor, policy-based security.
More informationCourse Content of MCSA ( Microsoft Certified Solutions Associate )
Course Content of MCSA 2012 - ( Microsoft Certified Solutions Associate ) Total Duration of MCSA : 45 Days Exam 70-410 - Installing and Configuring Windows Server 2012 (Course 20410A Duration : 40 hrs
More informationSecurity Digital Certificate Manager
System i Security Digital Certificate Manager Version 6 Release 1 System i Security Digital Certificate Manager Version 6 Release 1 Note Before using this information and the product it supports, be sure
More informationDesigning and Operating a Secure Active Directory.
Designing and Operating a Secure Active Directory Introduction Gil Kirkpatrick, CTO, NetPro Architect of NetPro Active Directory products Author of Active Directory Programming from SAMS Founder of the
More informationMicrosoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security
Operating System Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security White Paper Abstract The Microsoft Windows operating system includes technology to secure communications
More informationIdentity with Microsoft Windows Server 2016 (MS-20742)
Identity with Microsoft Windows Server 2016 (MS-20742) Modality: Virtual Classroom Duration: 5 Days SATV Value: 5 Days SUBSCRIPTION: Master, Premium About this course Windows Server vnext, which we now
More informationServer : Advanced Services 3 1 x
Server : Advanced Services 3 1 x Revised 2016/05/17 TestOut Server Pro: Advanced Services English 3.1.x Videos: 56 (5:12:20) Demonstrations: 84 (9:20:07) Simulations: 47 Written Lessons: 92 Section Quizzes:
More informationAdvanced Clientless SSL VPN Configuration
Microsoft Kerberos Constrained Delegation Solution, page 1 Configure Application Profile Customization Framework, page 7 Encoding, page 11 Use Email over Clientless SSL VPN, page 13 Microsoft Kerberos
More informationMCSE Server Infrastructure. This Training Program prepares and enables learners to Pass Microsoft MCSE: Server Infrastructure exams
MCSE Server Infrastructure This Training Program prepares and enables learners to Pass Microsoft MCSE: Server Infrastructure exams 1. MCSE: Server Infrastructure / Exam 70-413 (Designing and Implementing
More information70-647: Windows Server Enterprise Administration. Course Overview. Course Outline
70-647: Windows Server Enterprise Administration Course Overview Windows Server Enterprise Administration teaches the student how to maintain the Windows Server 2008 R2 environment. Students will learn
More informationOrganizational Units. What Is an OU? OU Hierarchies
What Is an OU?, page 1 OU Hierarchies, page 1 Cisco Root OU, page 2 Facility OU, page 3 Instance OU, page 3 Security Groups, page 4 What Is an OU? An OU is a container in the AD domain that can contain
More information1. All domain user accounts, and who can change the security permissions protecting them
Gold Finger The World s Only Accurate Resultant-Access and Security Assessment, Audit and Reporting Solution for Active Directory The Top-100 Reports that Gold Finger can generate, on-demand, in real-time,
More information20742: Identity with Windows Server 2016
Course Content Course Description: This five-day instructor-led course teaches IT Pros how to deploy and configure Active Directory Domain Services (AD DS) in a distributed environment, how to implement
More informationIdentity with Windows Server 2016
Identity with Windows Server 2016 20742B; 5 days, Instructor-led Course Description This five-day instructor-led course teaches IT Pros how to deploy and configure Active Directory Domain Services (AD
More informationMETHODOLOGY This program will be conducted with interactive lectures, PowerPoint presentations, discussions and practical exercises.
CENTER OF KNOWLEDGE, PATH TO SUCCESS Website: IDENTITY WITH WINDOWS SERVER 2016 Course 20742: 5 days; Instructor-Led INTRODUCTION This five-day instructor-led course teaches IT Pros how to deploy and configure
More informationRealms and Identity Policies
The following topics describe realms and identity policies: About, page 1 Create a Realm, page 8 Create an Identity Policy, page 15 Create an Identity Rule, page 15 Manage a Realm, page 20 Manage an Identity
More informationAD RMS Key Concepts Deploying AD RMS in complex Scenarios Multiple forests Logically isolated environments Physically isolated environments Centralized licensing Integrating Partners Extranet Active Directory
More informationCISNTWK-11. Microsoft Network Server. Chapter 5 Introduction Permissions i and Shares
CISNTWK-11 Microsoft Network Server Chapter 5 Introduction Permissions i and Shares 1 In a Nutshell Payroll Data? Payroll Data? Introduction A permission is a rule associated with an object, such as a
More informationActive Directory in Networks Segmented by Firewalls
Active Directory in Networks Segmented by Firewalls Microsoft Corporation Published: July 2002 Updated: October 2004 Abstract Microsoft Active Directory service domain controllers are increasingly being
More informationMCITP CURRICULUM Windows 7
MCITP CURRICULUM 70-680 Windows 7 Installing, Upgrading, and Migrating to Windows 7 Describe the key features, editions, and hardware requirements of Windows 7 Perform a clean installation of Windows 7
More informationPKI Configuration Examples
PKI Configuration Examples Keywords: PKI, CA, RA, IKE, IPsec, SSL Abstract: The Public Key Infrastructure (PKI) is a general security infrastructure for providing information security through public key
More informationDoD Common Access Card Authentication. Feature Description
DoD Common Access Card Authentication Feature Description UPDATED: 20 June 2018 Copyright Notices Copyright 2002-2018 KEMP Technologies, Inc. All rights reserved. KEMP Technologies and the KEMP Technologies
More informationRSA Authentication Manager 7.1 Migration Guide
RSA Authentication Manager 7.1 Migration Guide Contact Information See the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA and the RSA logo are
More informationEndpoint Protection with DigitalPersona Pro
DigitalPersona Product Brief Endpoint Protection with DigitalPersona Pro An introductory technical overview to DigitalPersona s suite for Access Management, Data Protection and Secure Communication. April
More informationNumerics I N D E X. 3DES (Triple Data Encryption Standard), 48
I N D E X Numerics A 3DES (Triple Data Encryption Standard), 48 Access Rights screen (VPN 3000 Series Concentrator), administration, 316 322 Action options, applying to filter rules, 273 adding filter
More informationModule: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Authentication Professor Trent Jaeger CSE543 - Introduction to Computer and Network Security 1 Kerberos History: from UNIX to Networks (late
More informationModule: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Authentication Professor Trent Jaeger 1 Kerberos History: from UNIX to Networks (late 80s) Solves: password eavesdropping Also mutual authentication
More informationKerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1811
Kerberos Constrained Delegation Authentication for SEG V2 VMware Workspace ONE UEM 1811 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you
More informationKerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1810
Kerberos Constrained Delegation Authentication for SEG V2 VMware Workspace ONE UEM 1810 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you
More informationCOPYRIGHTED MATERIAL. Configuring, Deploying, and Troubleshooting Security Templates. Chapter MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:
Chapter 1 Configuring, Deploying, and Troubleshooting Security Templates MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER: Configure security templates. Configure registry and file system permissions.
More informationreview of the potential methods
Mandatory iscsi Security review of the potential methods IPS Interim Meeting Nashua NH, May 01 2001 Ofer Biran Thanks to: IBM Research Lab in Haifa Bernard Aboba, David Black, Julian Satran, Steve Senum
More informationExam Questions Demo Microsoft. Exam Questions
Microsoft Exam Questions 70-413 Designing and Implementing a Server Infrastructure Version:Demo 1. Your network contains an Active Directory domain. All servers run Windows Server 2012 R2. The domain contains
More informationLotus Domino Security NSL, Web SSO, Notes ID vault. Collin Murray Program Director, Lotus Domino Product Management
Lotus Domino Security NSL, Web SSO, Notes ID vault Collin Murray Program Director, Lotus Domino Product Management Challenge: Reduce Cost of Ownership IBM Lotus Notes and Domino have been providing a secure
More informationActive Directory trust relationships
Active Directory trust relationships A trust relationship consists of two domains and provides the necessary configuration between them to grant security principals on one side of the trust permission
More informationVPN Overview. VPN Types
VPN Types A virtual private network (VPN) connection establishes a secure tunnel between endpoints over a public network such as the Internet. This chapter applies to Site-to-site VPNs on Firepower Threat
More information70-647: Windows Server Enterprise Administration Course 01 Planning for Active Directory
70-647: Windows Server Enterprise Administration Course 01 Planning for Active Directory Slide 1 Course 1 Planning for Active Directory Planning the Domains and Forest Structure Planning for Sites and
More informationRadius, LDAP, Radius, Kerberos used in Authenticating Users
CSCD 303 Lecture 5 Fall 2018 Radius, LDAP, Radius, Kerberos used in Authenticating Users Kerberos Authentication and Authorization Previously Said that identification, authentication and authorization
More informationMOC 6419B: Configuring, Managing and Maintaining Windows Server based Servers
MOC 6419B: Configuring, Managing and Maintaining Windows Server 2008- based Servers Course Overview This instructor-led course provides students with the knowledge and skills that are required to manage
More informationMicrosoft Exam Windows Server 2008 Active Directory, Configuring Version: 41.0 [ Total Questions: 631 ]
s@lm@n Microsoft Exam 70-640 Windows Server 2008 Active Directory, Configuring Version: 41.0 [ Total Questions: 631 ] Topic break down Topic No. of Questions Topic 1: Volume A 100 Topic 2: Volume B 100
More information10/4/2016. Advanced Windows Services. IPv6. IPv6 header. IPv6. IPv6 Address. Optimizing 0 s
Advanced Windows Services IPv6 IPv6 FSRM, FCI, DAC and RMS PKI IPv6 IP is the foundation of nearly all communication The number of addresses is limited Technologies like NAT help in addition to enhancements
More informationSession 7: Configuration Manager
Session 7: Configuration Manager Mark Aslett Consultant Adam Shepherd Consultant MCS Talks Infrastructure Architecture Agenda Introduction Gathering requirements Core Concepts Hierarchy Design Scaling
More informationRealms and Identity Policies
The following topics describe realms and identity policies: About, page 1 Create a Realm, page 8 Create an Identity Policy, page 14 Create an Identity Rule, page 15 Manage a Realm, page 17 Manage an Identity
More informationNetwork Security: Kerberos. Tuomas Aura
Network Security: Kerberos Tuomas Aura Kerberos authentication Outline Kerberos in Windows domains 2 Kerberos authentication 3 Kerberos Shared-key protocol for user login authentication Uses passwords
More informationOpenVMS Security Update 1M01
OpenVMS Update M0 Helmut Ammer TCSC München Agenda Ratings ITSEC E C & E B update on V6. TCSEC C Ramp -> > Common Criteria COE DII Current Projects: Enterprise Features & Projects History Per- Profiles
More informationMCSA Windows Server 2012
MCSA Windows Server 2012 This Training Program prepares and enables learners to Pass Microsoft MCSA: Windows Server 2012 exams 1. MCSA: Windows Server 2012 / 70-410 Exam (Installing and Configuring Windows
More informationInstalling and Configuring Windows Server 2012 R2
Installing and Configuring Windows Server 2012 R2 Exam 70-410 Craig Zacker Wiley Lesson 1: Installing Servers 1 Selecting a Windows Server 2012 R2 Edition 2 Supporting Server Roles 3 Supporting Server
More informationUser Authentication. Modified By: Dr. Ramzi Saifan
User Authentication Modified By: Dr. Ramzi Saifan Authentication Verifying the identity of another entity Computer authenticating to another computer Person authenticating to a local/remote computer Important
More informationNCP Secure Enterprise Management for Windows Release Notes
Service Release: 5.01 r40724 Date: August 2018 Prerequisites Operating System Support The following Microsoft Operating Systems are supported with this release: Windows Server 2019 Version 1809 Windows
More informationCIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries
CIS 6930/4930 Computer and Network Security Topic 7. Trusted Intermediaries 1 Trusted Intermediaries Problem: authentication for large networks Solution #1 Key Distribution Center (KDC) Representative
More informationFall 2010/Lecture 32 1
CS 426 (Fall 2010) Key Distribution & Agreement Fall 2010/Lecture 32 1 Outline Key agreement without t using public keys Distribution of public keys, with public key certificates Diffie-Hellman Protocol
More informationCERTIFICATES AND CRYPTOGRAPHY
Ing. Ondřej Ševeček GOPAS a.s. MCM: Directory Services MVP: Enterprise Security Certified Ethical Hacker ondrej@sevecek.com www.sevecek.com CERTIFICATES AND CRYPTOGRAPHY Advanced Windows Security MOTIVATION
More informationMCSA Windows Server 2012 Configuring Advanced Services
Session 1 MCSA Windows Server 2012 Configuring Advanced Services Section A: Windows Server 412 70-412 Project Network Load Balancing Prerequisites for NLB Install NLB Cluster Configuration Unicast vs.
More informationDesigning and Implementing a Server Infrastructure
Designing and Implementing a Server Infrastructure Duration: 5 Days Course Code: 20413 About this course Get hands-on instruction and practice planning, designing and deploying a physical and logical Windows
More information